Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-105
- Project: Subgroups for Organic Groups (third-party module)
- Version: 5.x
- Date: 2009-November-18
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Subgroups For Organic Groups module enables users to set group hierarchy. The module does not filter the titles of some nodes before output, leading to a cross-site scripting (XSS) vulnerability.
- Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0
Drupal core is not affected. If you do not use the contributed Subgroups For Organic Groups module, there is nothing you need to do.
Upgrade to the latest version:
- If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x upgrade to version 5.x-3.4
- If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x upgrade to versions 5.x-3.4 or 5.x-4.0
See also the Subgroups For Organic Groups project page.
- The vulnerability was reported by Greg Knaddison
- XSS vulnerability fixed by Ezra Barnett Gildesgame, Subgroups For Organic Groups module maintainer
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.